in Malware reverseengineering

Analyzing Malicious Windows Programs

Windows API

  • The way to interact with Windows
  • Implemented with DLLs (Dynamic Link Library)
    • kernel32.dll and ntdll.dll interact with kernel


  • A resource container
  • Each process has its own
    • virtual address space
    • threads
    • Bookkeeping information


  • Scheduled and executed by the OS
  • A process contains one or more threads
  • Has own thread contest and stack


  • Used to store OS and program configuration information such as settings and options
  • Malware often uses the registry for persistence
  • API : RegOpenKey, RegSetValue,RegEnumKey


  • Similar to a process
  • Gets installed onto disk/registry
  • Malware can get persistence by installing as a service and then scheduling the service to run at startup. The user will not see the service in the normal process menu.
  • HKLM\SYSTEM\CurrentControlSet\Services\
  • API : CreateService, OpenSCServiceManager, EunmDependentServices


  • Abstract pointer to something

COM (Component Object Model)

  • Code sharing
  • COM servers offer up implementation
    • Identified by GUIDs, CLSIDs, and IIDs
  • COM clients use the interface to exec the implmentation